refresh access token on app boot (#524)

refs https://github.com/TryGhost/Ghost/issues/5202 - refresh the access token after a successful authenticated application boot so that the session lifetime is continually extended
2017-02-10 13:35:45 +00:00 · 2017-02-10 13:35:45 +00:00 · 68e59de195
parent 942d01cd04
commit 68e59de195
2 changed files with 46 additions and 0 deletions
--- a/app/routes/application.js
+++ b/app/routes/application.js
@ -42,6 +42,16 @@ export default Route.extend(ApplicationRouteMixin, ShortcutsRoute, {
            transition.send('loadServerNotifications');
            transition.send('checkForOutdatedDesktopApp');

+            // trigger a background refresh of the access token to enable
+            // "infinite" sessions. We also trigger a logout if the refresh
+            // token is invalid to prevent attackers with only the access token
+            // from loading the admin
+            let session = this.get('session.session');
+            let authenticator = session._lookupAuthenticator(session.authenticator);
+            if (authenticator && authenticator.onOnline) {
+                authenticator.onOnline();
+            }
+
            // return the feature loading promise so that we block until settings
            // are loaded in order for synchronous access everywhere
            return this.get('feature').fetch();
--- a/tests/acceptance/authentication-test.js
+++ b/tests/acceptance/authentication-test.js
@ -14,6 +14,7 @@ import {authenticateSession, invalidateSession} from 'ghost-admin/tests/helpers/
 import {Response} from 'ember-cli-mirage';
 import windowProxy from 'ghost-admin/utils/window-proxy';
 import ghostPaths from 'ghost-admin/utils/ghost-paths';
+import OAuth2Authenticator from 'ghost-admin/authenticators/oauth2';

 const Ghost = ghostPaths();

@ -29,6 +30,41 @@ describe('Acceptance: Authentication', function () {
        destroyApp(application);
    });

+    describe('token handling', function () {
+        beforeEach(function () {
+            // replace the default test authenticator with our own authenticator
+            application.register('authenticator:test', OAuth2Authenticator);
+
+            let role = server.create('role', {name: 'Administrator'});
+            server.create('user', {roles: [role], slug: 'test-user'});
+        });
+
+        it('refreshes app tokens on boot', function () {
+            /* eslint-disable camelcase */
+            authenticateSession(application, {
+                access_token: 'testAccessToken',
+                refresh_token: 'refreshAccessToken'
+            });
+            /* eslint-enable camelcase */
+
+            visit('/');
+
+            andThen(() => {
+                let requests = server.pretender.handledRequests;
+                let refreshRequest = requests.findBy('url', '/ghost/api/v0.1/authentication/token');
+
+                expect(refreshRequest).to.exist;
+                expect(refreshRequest.method, 'method').to.equal('POST');
+
+                let requestBody = $.deparam(refreshRequest.requestBody);
+                expect(requestBody.grant_type, 'grant_type').to.equal('password');
+                expect(requestBody.username.access_token, 'access_token').to.equal('testAccessToken');
+                expect(requestBody.username.refresh_token, 'refresh_token').to.equal('refreshAccessToken');
+
+            });
+        });
+    });
+
    describe('general page', function () {
        beforeEach(function () {
            originalReplaceLocation = windowProxy.replaceLocation;